News in 2010

2010-12-30: release 0.8.0 of nss-pam-ldapd
This is the first release in the 0.8 series of nss-pam-ldapd, a
new development branch of nss-pam-ldapd in which a number of new
features and implementations are introduced. As such, this isn't the most
stable version of nss-pam-ldapd but users are urged to try out
this release and send feedback.
Note that the 0.7 branch will be supported with bug and security fixes at
least until the 0.8 branch has stabilised.
A summary of the changes since 0.7.13:

include an experimental partial implementation of nslcd in Python
(disabled by default, see --enable-pynslcd configure
option)

implement a nss_min_uid
option to filter user entries returned by LDAP

implement a rootpwmodpw
option that allows the root user to change a user's password without
a password prompt

try to update the shadowLastChange attribute on password
change

all log messages now include a description of the request to more
easily track problems when not running in debug mode

allow attribute mapping expressions for the userPassword
attribute for passwd, group and shadow entries and by default map it
to the unmatchable password ("*") to avoid accidentally leaking
password information

numerous compatibility improvements

add --with-pam-seclib-dir and --with-pam-ldap-soname
configure options to allow more control of how to install the PAM
module

add --with-nss-flavour and --with-nss-maps configure
options to support other C libraries and limit which NSS modules to
install

allow tilde (~) in user and group names

improvements to the timeout mechanism (connections are now actively
timed out using the idle_timelimit
option)

set socket timeouts on the LDAP connection to disconnect regardless of
LDAP and possibly TLS handling of connection

better disconnect/reconnect handling of error conditions

some code improvements and cleanups and several smaller bug fixes

all internal string comparisons are now also case sensitive (e.g. for
providing DN to username lookups, etc)

signal handling in the daemon was changed to behave more reliably
across different threading implementations

nslcd will now always return a positive authorisation result
during authentication to avoid confusing the PAM module when it is
only used for authorisation

Debian packaging improvement: implement configuring SASL
authentication using Debconf, based on a patch by Daniel Dehennin

2010-08-28: release 0.7.9 of nss-pam-ldapd
This is an update for the 0.7 series that brings some small improvements.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.8:

fix for --with-nss-ldap-soname configure option by Julien
Cristau

Debian packaging improvements

Get this release from the downloads section.
With this release the 0.7 series will be in bugfixes-only mode. It will
still receive bugfixes and security support for some time but not any major
new features.
See the mailing list post for more details.

2010-08-18: release 0.7.8 of nss-pam-ldapd
This is an update for the 0.7 series that brings some small improvements.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.7:

2010-07-03: release 0.7.7 of nss-pam-ldapd
This is an update for the 0.7 series that brings some small improvements.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.6:

refactoring and simplification of PAM module which also improves
logging

implement a nullok PAM option and disable empty passwords by
default

portability improvements and other minor code improvements

the mechanism to disable name lookups through LDAP from within the
nslcd process has been improved

the undocumented use_sasl option has been removed (specifying
sasl_mech now implies use_sasl)

the sasl_mech, sasl_realm, sasl_authcid,
sasl_authzid and sasl_secprops configuration options
are now documented

2010-05-27: release 0.7.6 of nss-pam-ldapd
This is an update for the 0.7 series that fixes a bug and brings some
small improvements.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.5:

fix a problem with empty attributes if expression-based attribute
mapping is used (patch by Nalin Dahyabhai)

2010-05-14: release 0.7.5 of nss-pam-ldapd
This is an update for the 0.7.4 release that mainly fixes an annoying
bug when using the minimum_uid PAM option and includes some
improvements to the PAM module (20% code reduction with
new features added).
A summary of the changes since 0.7.4:

fix a problem in the session handling of the PAM module if the
minimum_uid option was used

refactor the PAM module code to be simpler and more maintainable

perform logging from PAM module to syslog and support the
debug option to log more information

2010-05-09: release 0.7.4 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some
new functionality.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.3:

add an nss_initgroups_ignoreusers option to ignore user name
to group lookups for the specified users

add a pam_authz_search option to perform a flexible
authorisation check on login (e.g. to restrict which users can log in
to which hosts, etc)

implement a minimum_uid option for the PAM module to ignore
users that have a lower numeric user id

change the way retries are done to error out quicker if the LDAP
server is down for some time (this should make the system more
responsive when the LDAP server is unavailable) and rename the
reconnect_maxsleeptime option to reconnect_retrytime
to better describe the behaviour

2010-02-27: release 0.7.3 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some
new functionality.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.2:

allow password modification by root using the rootpwmoddn
configuration file option (the user will be prompted for the password
for rootpwmoddn instead of the user's password)

the LDAP password modify EXOP is first tried without the old password
and if that fails retried with the old password

when determining the domain name (used for some values of the
base and uri options) also try to use the hostname
aliases to build the domain name (patch by Jan Schampera)

perform locking on the pidfile on start-up to ensure that only one
nslcd process is running and implement a --check option
(patch by Jan Schampera)

2010-01-22: announcing nss-pam-ldapd mailing lists
To improve participation and sharing of ideas for the nss-pam-ldapd
project, three mailing lists have been set up.
These lists are open for subscription by anyone and have public
on-line archives.

The
nss-pam-ldapd-announce
mailing list will be used for announcements of new releases,
security advisories and any other important news regarding
nss-pam-ldapd.

The
nss-pam-ldapd-commits
mailing list can be used to keep up with the day-to-day commits to
the project.

The
nss-pam-ldapd-users
mailing list is a general discussion list for the project. Please send
your questions and patches there.
